The first professional version of the Metasploit Framework was made available today, more than a decade after it was conceptualized by inventor HD Moore, and less than a year after being acquired by vendor Rapid 7 LLC.
"For the first time, we really have a single product that really has most of the features used during a given pen-test," said HD Moore, chief architect of Metasploit and CSO of Rapid7.
The Metasploit Framework is an exploit framework used by security pros in corporations, government agencies and professional consulting firms as a network and Web application penetration testing tool.
Moore said Metasploit Pro features the ability to enable multiple pen-testers to have simultaneous remote access through compromised hosts to easily collaborate on client engagements. Enhanced Web application scanning, auditing and reporting capabilities, as well as the ability to run social engineering campaigns, round out the features in Metasploit Pro that aren't available in Metasploit Express or other commercial or open source versions of the tool.
"You can have multiple users working on the same pen-test at the same time," he said. "So if you are doing an engagement, and one person is doing a Web app scan, and another is running a social engineering campaign, as soon as you compromise a target, every single one of those users can now run attacks and go even further through those pivots."
The enhanced VPN pivoting offers encrypted access through a full Ethernet interface that's a direct tap into the remote network, Moore said.
"At that point, you can use Metasploit Pro to continue to compromise targets internally, or you can use any other tool you like. If you have a tool you use during pen-testing that doesn't integrate with Metasploit today, or it's not a Metasploit module, you can now start using all your other tools through the pivot connection," Moore said. "Folks who have seen the pivot connection capabilities are blown away by it."
Metasploit Pro is licensed based on a named user, and not on the number of installations or IP address ranges, Moore said. Pen-testers can install copies of the tool anywhere from shared servers to the cloud, and it would be accessible from anywhere.
"If you have a shared server environment and you have an entire team going through one shared server for it, as soon as you set up VPN pivot you can turn that shared server into a NAT (network address translation) gateway and start routing all of your traffic through that single point anywhere on a network you've compromised already," Moore said. "So basically, you're turning Metasploit Pro into a router into all of your compromised systems."
Moore said Metasploit has had the capability for 18 months to do raw network sniffing, but for the longest time he wanted to be able to read and write raw traffic onto a remote network. Metasploit Pro can do that without modifying the remote network: no drivers are installed, no disk access is achieved, and no files are written to the hard drive, Moore said.
"All we're doing is in-memory hooking of the network drivers," Moore said, adding that right now this is limited to Windows targets. Version 3.5.1, due in December, is expected to have Linux support.
Metasploit Pro also includes the ability to set up and run social engineering campaigns. Pen-testers will be able to set up websites that serve exploits, clone websites that load exploits in the background, and conduct email campaigns against targeted user groups that include infected attachments or links to sites that serve exploits. Client-side intrusions based on these campaigns are a top attack vector, but traditionally pen-testers avoided them because they are so simple to pull off, Moore said. That has changed, and in deference to community demand, Metasploit Pro provides features that automate these campaigns, in addition to all the pivoting and reporting capabilities found in other features of the new tool.
Finally, Metasploit Pro's Web application scanning goes beyond previous iterations of the tool that targeted a single application. Moore said you can configure Metasploit Pro to identify and exploit all Web servers, administrative interfaces, routers, switches and anything else running a Web server.
"If you look at existing Web app assessment tools, you've got vulnerability scans that identify but don't go to the next step and exploit a vulnerability," Moore said. "Those tools are designed to be single-target tools."